Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

Monthly Archives: June 2013

Don’t touch that dial! Or that remote. Researchers have worked out a way to use gestures to control your home devices using the Wi-Fi network and an embedded receiver in your router.

It seems I’m not the only one obsessed with new user interfaces for controlling the internet of things. Four researchers at the University of Washington have unveiled their research using Wi-Fi to build out a gesture-based interface for connected devices in the home. They call it WiSee.

The technology would be embedded in a Wi-Fi device, like a router or access point and would figure out the motions someone was making based on how those motions affected the Wi-Fi network.

For those who don’t think about the electromagnetic radiation Wi-Fi produces (that’d be most of us) it’s important to realize that Wi-Fi is sending out a steady array of signals that bounce and bump into things into your home. If you could see the airwaves in the 2.4 GHz or 5 GHz band you’d see that every move results in a ripple effect, like a type of radar system.

Normally those ripples are too small to be detected, but the WiSee researchers have discovered algorithms that help amply the Doppler effect created by a gesture disturbing a Wi-Fi network. It then can translate that difference into one of nine corresponding gestures with 94 percent accuracy rate.

Check out the video above and for those who have read the Hitchhiker’s Guide to the Galaxy feel free to recollect Zaphod’s challenges in getting the radio in the Heart of Gold tuned to a specific station and stay there. For those who have missed the book, he basically has to stay very still.

The researchers at WiSee have solved this challenge using an opening sequence of gestures that would act as a means to turn on the receiver and let it know you are ready to take action. From the paper on the topic:

Over a 24-hour period, WiSee’s average false positive rate—events that detect a gesture in the absence of the target human—is 2.63 events per hour when using a preamble with two gesture repetitions. This goes down to 0.07 events per hour, when the number of repetitions is increased to four.

The technology differentiates from different people in the room by using MIMO, an antenna technology that relies on multiple antennas on a device and at an access point that essentially identifies and tracks the “target user.” The paper notes that the WiSee receiver can identify the correct person as the target 90 percent of the time in a room of three people.

Comcast users will soon be contributing to the company’s Wi-Fi network coverage through a gateway that transmits a public Wi-Fi signal that can be accessed by any Xfinity subscriber.

Comcast is making it even easier for its broadband subscribers to access the Internet outside the confines of their homes.

For the past couple of years, the company, along with several other cable operators, has been building out a Wi-Fi network in public areas, such as train platforms and in small businesses such as cafes and retail locations, to allow its broadband customers mobile access to the Internet at no additional charge.

The company has announcements that will expand this network.

The first is the launch of the new home-based, neighborhood hot-spot initiative, in which subscribers will host Wi-Fi hot spots that other Comcast customers can use as part of their monthly broadband service. The way it works is that Comcast subscribers who are using the company’s newest wireless gateways for home Wi-Fi will broadcast an additional Xfinity Wi-Fi signal. And that additional signal will be the one that other Comcast customers, who already have access to Comcast’s public Wi-Fi network, will use.

This signal is completely different from the signal that subscribers have in their home. This means that if customers subscribe to a 50Mbps broadband service, they will have full access to that speed and capacity, without any interference or degradation in service from the public Wi-Fi portion.

“Our broadband customers will continue to get the service that they are paying for,” Tom Nagel, senior vice president of business development, said in an interview. “That was extremely important to us in designing this product.”

Indeed, it also means that people can keep their home Wi-Fi networks more secure. Instead of giving out their password to visitors, these people can use the public Comcast Wi-Fi network, which is transmitting from the same gateway device.

The only catch is that the visitors must also be Comcast Xfinity broadband customers. If they are not, they can get free access to the networks on two separate occasions. But after that they will have to pay for usage.

Comcast started testing the new service last year in parts of Pennsylvania, New Jersey, Northern Virginia, and in and around Washington, D.C. Currently, more than 100,000 Xfinity Internet subscribers are using the new Wi-Fi access points.

Nagel said that customers will have the option to opt out of the community broadband initiative if they would like. But the new gateways that are being deployed in broadband subscribers’ homes by default will have the community Wi-Fi signal turned on.

The initiative is similar to a service that a Spanish company called FON launched in 2007. Just like Comcast, FON allowed people to share their home broadband connections via Wi-Fi. The router split the signal into a private signal used by the broadband subscriber indoors. And it also created a public signal for others to use outside of the home.

The idea behind FON was that people who participated in the network were given access to other FON users throughout the world. So if someone who lived in San Francisco and participated in the FON network traveled to Madrid, he would be able to access free Wi-Fi if he came in contact with other FON networks.

But the benefit for Comcast subscribers is not as easy to determine. Xfinity customers already get access to all of Comcast’s Wi-Fi hot spots at no extra charge. It’s bundled into their home broadband service. So in many ways, there is really no incentive to participate in the Comcast community Wi-Fi initiative. But given that customers have to opt out of the program, there’s a good chance that many people won’t even realize they are providing public Wi-Fi from their home broadband connection, simply by using Comcast’s gateway product.

Comcast’s Wi-Fi strategy

Wi-Fi has increasingly become an important part of Comcast’s overall strategy. And Nagel said that the home-based neighborhood hot-spot initiative complements the company’s existing Wi-Fi network and its efforts within the CableWiFi Alliance, which allows Comcast broadband customers to also get access to indoor and outdoor hot spots set up by other cable operators in other parts of the country.

Map of Comcast Xfinity Wi-Fi hot spots in and around Washington, D.C.

Also, Comcast and its CableWiFi Alliance partners announced that they have added tens of thousands of new access points to the network. And now Cablevision, Comcast, Time Warner Cable, Cox Communications, and Bright House Networks’ broadband customers have access to more than 150,000 indoor and outdoor Wi-Fi hot spots in more than a dozen major cities across the country.

The network has tripled in size since it was firstannounced last year, and it now represents one of the largest Wi-Fi networksin the country.

The way it works is that subscribers of any of these broadband providers can look for the “CableWiFi” network on their mobile devices. Then they can sign into the network using credentials that identify them as a broadband customer, and they are connected to the Wi-Fi network. After they have used the network once, those credentials can be saved on the device to automatically authenticate the next time they are in a CableWiFi hot spot.

Some of the major cities where the cable hot spots are up and running include: New York, Los Angeles, Chicago, Philadelphia, Atlanta, Baltimore, Boston, Washington, San Francisco, Kansas City, Mo., and Orlando and Tampa, Fla. Customers can check their broadband providers’ Web site for a nationwide coverage map.

Comcast most recently announced Chicago and Atlanta as cities with public Wi-Fi hot spots as part of the Cable Wi-Fi Alliance. And on Monday it is officially announcing Washington, D.C., as the next city to get Xfinity Wi-Fi. The company has set up public Wi-Fi hot spots in areas inside the city, such as Adams Morgan, Capitol Hill, Dupont Circle, and Georgetown. It’s also set up hot spots in Bethesda, Chevy Chase and Silver Spring in Maryland; and Arlington, Alexandria, and Woodbridge in Virginia.

The IT industry is caught in an increasingly tough battle against cyber crime and the professionals tasked with looking after information security face an onslaught of challenges and attacks.

Computer Weekly, in association with Trend Micro, invited a group of IT security leaders to a roundtable debate in Edinburgh to discuss what issues they were facing in the workplace, as well as how to address the threats.

Guests included information security leaders from Royal Bank of Scotland (RBS) and Tesco Bank through to public sector bodies such as the Forestry Commission and Edinburgh College.

Despite their differing organisations, a number of common themes arose from the discussions and many delegates were facing the same problems, whether their company was big or small, private or public.

“Law enforcement is redirecting resources from terrorism to help banks cope with the onslaught, which can’t be a good sign,” he said.

“Unfortunately there are increasing numbers of these criminal gangs, so expect to face more attacks from them.”

The type of attack has changed too, according to Rik Ferguson, vice-president of security research at Trend Micro.

“The biggest shift over recent years, and probably in the public consciousness in the past 18 months to two years, is very much the shift towards targeted attacks,” he said.

“The old threat landscape model was pretty much random – infect as many PCs as possible, take whatever data is available, and there is a direct path between attacker and victim.

“All of that is moving now changing to a targeted attack – be it on an individual, organisation, a company or a group of people that play an online game, but a target. A chosen target.”

So how are these newly-formed gangs of cyber criminals and their means of attack surfacing in the corporate environment?

Ferguson said social networks were still an issue for companies, but unlike many security commentators who focus on the threat posed by Facebook, he believed there was a bigger risk.

“There are definitely tools that criminals use for making very credible attacks from scanning social networks, but if you listen to a lot of security companies, they will spend a lot of time talking about the threat posed by Facebook. Certainly some valuable information does get shared there, but I think what is sadly neglected is LinkedIn,” Rik Ferguson said.

“It is not seen as a social network but as a professional network so it doesn’t count, apparently. But it is just a social network for people looking for a new job.”

Ferguson revealed personal details about roundtable guests, from passions about guitars to the ability to speak Spanish, having conducted just 20 minutes of research on LinkedIn, illustrating how the social network was there for all to see.

“You have to consider what open source intelligence is available about the employees at your company,” he said.

Mobile security

The other exploding trend in businesses is mobile devices. Delegates agreed when Ferguson discussed how the technology was increasingly working its way into offices across the country and poses a significant threat if security is left unchecked.

“Probably the least-protected end-point in all of your businesses, and probably the fastest growing section in your network, is the smartphone,” he said.

“The commonly-used Blackhole exploit kit got a version two rewrite last year and as well as a lot of extra features for defeating security companies, one of the other things it included was collecting statistics for mobile operating systems.

“It may not be supplying exploits yet for Android or iOS, but it notices when someone is using those devices. The next step is to start providing exploits for those systems. That would be an absolute game-changer for the mobile threat landscape, which is exploding anyway.”

Using apps as a way into mobile devices is also on the rise. To give an idea of scale, Ferguson said Trend Micro got the numbers “hopelessly wrong” when it predicted that by the end of 2012 there would 130,000 unique malicious apps just for the Android platform. Instead the figure reached 350,000.

“At the end of last year, we made a prediction for the end of 2013 and said, in that case, we fully expect to see more than a million malicious apps,” he said.

“Unfortunately, I got a new report two days ago and we are already at 530,000-plus so we are more than halfway there without being halfway through the year. It means a million is looking conservative.”

The human element

But how can IT security leaders tackle these growing issues when businesses themselves are going through a tough time?

A chief information security officer (CISO) from one of the UK’s leading financial institutions said: “We have all got legacy architecture and a limited budget. If we were drawing security systems up from scratch, we could build in all these things but it is difficult to [retro-fit].

“There is also the human element. We need to assume the human can’t spot a malicious email – so there will be compromises.

“They will open email attachments and all the awareness training in the world won’t stop this happening.”

Several delegates agreed that the human element was definitely their biggest challenge.

Neil Heydon-Dumbleton, head of group IT strategy, architecture and governance for the Royal London Group, said: “[You have to worry] when there are staff writing their passwords on the wall. We talk about protection but you have to look at the amount of legacy that is in business.

“We might be concentrating right now on how to keep the cloud secure for example, but we need to look back or those new defenses become really pointless.”

Jamie Gray, principal information development officer at NHS National Services Scotland, agreed that old issues are still giving him headaches.

“Working in the NHS, I have found a lot of the risk is still paper-based,” he said. “In an environment where you have patient records at the end of the beds, there is still a risk there.”

One delegate claimed it was the attitude of staff, with people who just want to get on with their jobs rather than wait and follow policy, which poses the biggest risk.

Others agreed, citing examples of sitting next to business travelers on planes where you could easily read customer data over a shoulder on their iPads, or being on trains where someone logs into their work email on a smartphone with little care for prying eyes.

So what is the answer? The key is all in the training, according to the head of ICT security at a financial services company.

“We have to focus on end-user awareness,” he said. “We will never fix the human – we have to look at ways to educate them, train them and try and stop these attacks from working.”

KPMG’s Jordan agreed, comparing cyber crime to other criminal activity where prevention is the best cure.

“There are good statistics from the police that prevention reduces the cost of managing crimes,” Jordan said.

“It is difficult to implement, but there must be budget set aside. You will never stop the attacks coming in, but you may stop employees [falling for them].”

There was mixed opinion of the effectiveness of user awareness training, with some guests saying there will always be those who ignore it or just don’t understand.

However, there was agreement that user education has to be attempted.

Ferguson said there should be better communication between the IT department and HR, bringing the need for awareness and staff training around information security to the forefront of everyone’s minds.

“The majority of issues we are facing are people-centric and not just in the sense it is the individual being attacked,” he said. “Before you invest in technology, there seems to be a number of things that need to be done that are also people-intensive and people-reliant to ensure the technology works.

“One of the biggest gaps in the corporate environment is between information security and HR. I think those are two departments that only talk when someone is being hired and someone is being fired. There is very little interaction beyond that.

“But looking at all those different areas where the person is the most important part, whether they are being attacked or trying to secure them, there is a lot more that could be achieved by bringing these people together – the functions that manage people and the functions that manage security.”

The threats may be getting bigger, more targeted and hitting more devices and networks than before, but a little common sense and a lot of training may go a long way to negating serious security issues in the enterprise.

“There is no lack of willingness,” said Jordan. “But it is about the effectiveness of getting it done.”

The Washington Post is reporting a top-secret National Security Administration data-mining program that taps directly into the Google, Facebook, Microsoft and Apple servers among others. “The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time,” reports the Post.

Details about the highly classified program, Project PRISM, are somewhat vague, but it appears that the NSA allows the Attorney General and Director of National of National Intelligence “to open their servers to the FBI’s Data Intercept Technology Unit, which handles liaison to U.S. companies from the NSA.”

“With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s ‘extensive search and surveillance capabilities against the variety of online social networking services,'” explainsThe Post.

From there, the NSA mines the data for suspects, then “hops” to their potential contacts, exponentially increasing the number of Americans that the NSA can spy on (by mandate, the NSA is supposed to monitor foreigners).

We reached out to Facebook for comment and they replied: “We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”

In a statement, Google said: “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a backdoor for the government to access private user data.”

And Apple gave a statement to CNBC:

According to the Post’s slides (below), the number of PRISM partners has steadily grown over the years. Microsoft, the first partner, began in 2007, Yahoo in 2008; Google, Facebook and PalTalk in 2009; YouTube in 2010; Skype and Aol in 2011; and finally Apple, which joined the program in 2012,” explains the Guardian.

This revelation follows yesterday’s exposé by the Guardian on the NSA’s program to monitor phone data of every single U.S. call on the Verizon network.

The Post notes that resistance seems possible, given Twitter’s conspicuous absence from the list of companies.

Microsoft today launched its Bing Translator app for Windows (including Windows RT). We don’t usually write all that much about Windows apps, and translation apps aren’t exactly new, either, but it’s nice to see that Microsoft has finally brought virtually all of the features of its mobile translator app for Windows Phone, including camera-based translations for seven input languages, to the desktop. Bing Translator, which is only available in Windows’ Modern UI/Metro mode, supports a total of 40 languages and also allows you to download language packs for offline use.

This is par for the course for language translation apps these days. Google’s Translate for Android app also features all of these tools and supports 70 languages.

Microsoft’s implementation of the camera-based “augmented reality” translation mode is a bit smoother, however, as it will just overlay a translation over the camera image (and you can tap to save the caption). Google Translate, on the other hand, makes you tap on the words you want to translate. Admittedly, that’s not exactly hard, but Microsoft’s approach feels a bit easier and more like what iPhone users are accustomed to from tools like Word Lens.

Heavy Windows 8 users (there must be some…) will also appreciate that the app integrates with the Windows 8 “Share” charm to give you easy access to the translation tools.

While Facebook Home hasn’t proven to be a smash success so far, it picked up a handful of features today that might just coax a few more users to hop on board.

Amongst other things, the new Home allows you to pin your favorite apps to a dock — a basic feature, certainly, but something that’s been sorely missed since launch. Before, opening any of your apps (even those that you use all day, every day) required a bunch of extra taps.

While Facebook had previously suggested that such a dock might be able to automatically import the favorites from your previous homescreen of choice, that feature doesn’t seem to be in place here.

The Home tweaks come by way of an update to the core Facebook app, and it brings a few new tricks to that app, as well: you can now tweak the privacy settings for shared posts after the fact (in the not-so-rare occurrence that you’ve shared something with more people than you actually intended), and can now send multiple photos in one message.

What’s in this version:
• Easily change who can see something you’ve shared
• Send multiple photos in a single message—just tap the +
• Stability and memory improvementsNew if you’re using Facebook Home:
• Customize your app launcher by dragging the apps you use most to a new favorites tray
• Bug fixes
Learn more about getting Facebook Home updates in our Help Center: http://bit.ly/ZofWN4

Merit Network, the 21st Century Achievement Award winner for mobile access, leads the effort to expand broadband in Michigan.

REACH-3MC is bringing higher levels of Internet service, availability and affordability to remote and rural areas of Michigan by constructing 2,287 miles of middle-mile fiber-optic infrastructure.

Merit Network, Michigan’s nonprofit research and education service provider to community anchor institutions (CAI), is leading the broadband expansion project. Starting in 2010, Merit Network received two Broadband Technology Opportunities Program grants through the federal American Recovery and Reinvestment Act to help pay for the work. In total, Merit Network succeeded in bringing more than $100 million in federal funding to Michigan in addition to $30 million from private and local sources.

This is how REACH-3MC works: Merit Network is engaging seven commercial Internet service providers as grant sub-recipients to create the infrastructure that services all sectors of society, including homes, businesses and CAIs. The REACH-3MC network consists of a mainline network.

Merit and the grant sub-recipients construct fiber-optic laterals from the mainline to connect individual CAIs and businesses and to access cell towers and central office facilities. Both the mainline and laterals are constructed in parallel. Merit and sub-recipients each own fiber strands over various portions of the REACH-3MC network, ensuring competition at every interval. The network is governed by open-access principles enforced by the grant; ISPs cannot be denied access to the network where capacity permits.

The project aims to solve the lack of backhaul infrastructure in Michigan’s remote and rural areas, where residents have had challenges accessing information and CAIs and businesses have had to contend with substandard levels of Internet, telecommunication and networking access and services, putting those organizations at a disadvantage.

To address such limitations, REACH-3MC is providing 143 CAIs with 1 Gbps-dedicated connections to Merit, enabling collaboration with more than 230 other CAIs that are already connected.

Moreover, by expanding Merit’s footprint to more than 4,000 miles, Michigan’s public institutions have a mechanism to cut costs and provide more service to their constituents. More than 900 additional CAIs will have the opportunity to connect over time.

As a middle-mile project, the aim of REACH-3MC isn’t to directly connect every home and business in the network service area. Rather, the goal is to bring the backhaul infrastructure into rural regions and then give ISPs the opportunity to use the infrastructure to provide faster, cheaper and more reliable service.

All told, more than 1 million homes and 55,000 businesses in the REACH-3MC service area will benefit either as direct customers of a REA CH-3MC sub-recipient or indirectly through an existing service provider that obtains backhaul from a REACH-3MC sub-recipient.

The clarified stance comes following the launch of a porn app for the wearable computer system.

Google Glass can, in theory, be used for lots of things, but sexually explicit material is one area now off limits to developers.

“We don’t allow Glassware content that contains nudity, graphic sex acts or sexually explicit material,” according to Google’s Glass platform developer policies, which were updated Saturday to offer more information about what developers can and cannot do with the software they make for Glass, which Google refers to as “Glassware.”

Google’s clarified stance comes just as a Glass pornography app, called “Tits and Glass,” made by four developers at MiKandi, a mobile app store for adult content, launched Monday. Prior to Monday, Google’s glass developer policies did not specifically address sexual content.

The app, which purports to be the first adult software for Glass, lets users “share racy content from their devices directly to other Glass users and online” at the app website, its developers said. The software also comes preloaded with “premium adult photos,” with more adult content recorded using Google Glass on the way, Seattle-based MiKandi said in an announcement.

MiKandi only became aware of the new developer policies after its app was launched. As of press time, they had not been directly contacted by Google. As for whether the updated policies may change the company’s plans, “we’re discussing that right now,” said MiKandi co-founder and Glass porn developer Jesse Adams.

Google Glass is worn like regular glasses. The device, which currently is in the hands of several thousand people who paid US$1,500 to be among its first testers, includes a small, square display that hangs in front of the wearer’s right eye, next to a tiny camera.

The device has not been released to the general public, but critics have raised questions about privacy, such as the extent to which Glass is capable of gathering personal information about people nearby.

The company so far has largely stood back to let developers shape the direction of Glass applications. But some of the controversy surrounding Glass, including the recently updated developer policies, shows that, in some areas at least, Google will step in to draw more lines in the developer sandbox.

“Google must be afraid of how powerful their own Glasses are,” MiKandi’s Adams said.

Even without developers steering Glass into risque territory, the product is already feared by some as a tool for stalkers, perverts and pedophiles.

Several weeks ago, members of a U.S. congressional group on privacy wrote to Google CEO Larry Page requesting information about a host of issues, such as whether the company is considering revising its privacy policy to account for the sensory functions present in Glass.

Violations of its developer policies are violations of Glass’ API terms of service, Google says, “and can result in the disablement or removal of your application, being prohibited from providing future applications, or termination of your Google account.”

Still, MiKandi hopes to stay in the adult content space on Glass. “We’re not going to just stop,” Adams said. “We have to think about our next strategy.”

If a judge orders you to decrypt the only existing copies of incriminating files, are your constitutional rights against compelled self-incrimination being violated?

That’s the provocative question being raised as a Wisconsin man faces a deadline today either to give up his encryption keys or risk indefinite imprisonment without a trial. The defendant’s attorney, Robin Shellow of Milwaukee, said it’s “one of the most important constitutional issues of the wired era.”

Shellow is making a novel argument that the federal magistrate’s decryption order is akin to forcing her client to build a case for the government. That’s because encryption basically transforms files into unreadable text, which is then rebuilt when the proper password is entered, she said.

“Some encryption effects erasure of the encrypted data (so it ceases to exist), in which case decryption constitutes re-creation of the data, rather than simply unlocking still-existing data,” Shellow wrote in a court filing. (.pdf)

In a telephone interview Monday, she said “this area is a new way of thinking about encryption.”

Though rare, decryption orders are likely to become more common as the public slowly embraces a technology that comes standard even on Apple computers. Such orders have never squarely been addressed by the Supreme Court, despite conflicting opinions in the lower courts.

The latest decryption flap concerns Jeffrey Feldman, who federal authorities believe downloaded child pornography on the file-sharing e-Donkey network. They seized 15 drives and a computer from his suburban Milwaukee apartment with a search warrant. A federal magistrate has ordered Feldman to decrypt the drives by today.

Feldman has refused, citing the Fifth Amendment. A federal judge could find him in contempt as early as today and jail him pending his compliance.

The magistrate in the case stepped aside Monday after Shellow argued that only U.S. district court judges, not magistrates, have the legal power to issue decryption orders. As of now, the new judge in the case has not decided whether to uphold the magistrate’s order.

U.S. Magistrate William Callahan Jr. initially said the Fifth Amendment right against compelled self-incrimination protected Feldman from having to unlock his drives.

But last month, prosecutors convinced Callahan to change his mind. Among other reasons, the authorities were able, on their own, to decrypt one drive from Feldman’s “storage system” and discovered more than 700,000 files, some of “which constitute child pornography,” the magistrate said.

When the magistrate ruled against the government last month, the magistrate said the authorities did not have enough evidence linking Feldman to the data, and that forcing the computer scientist to unlock it would be tantamount to requiring him to confess that it was his. But that theory is now out the door, because the data on the decrypted drive contains pictures and financial information linking Feldman to the “storage system,” Callahan ruled last week.

Among the last times an encryption order came up in court was last year, when a federal appeals court rejected an appeal from a bank-fraud defendant who has been ordered to decrypt her laptop so its contents could be used in her criminal case. The issue was later mooted for defendant Romano Fricosu as a co-defendant eventually supplied a password.

Shellow said it was unclear whether her client even remembers the passwords to the 16 drives the authorities confiscated.

“The government is claiming that our client has the capacity to decrypt them,” Shellow said.

When it comes to mobile technology, it’s amazing how much can change in a few short years. We’ve gone from having low-powered, low-resolution devices to carrying pixel-packed smartphones with PC-like processing power. And we’ve gone from Verizon being the carrier for the latest and greatest Android gadgets to being one of the worst places an Android enthusiast can be.

To be fair, the carrier’s devolution as a serious Android player has been happening for a few years now. But over the last several months, the disadvantages of being an Android fan on Verizon have grown more and more difficult to ignore.

The latest reminder of Big Red’s big disappointment came this week with the HTC One — one of the best Android phones of the season and one that’s earned near-universal rave reviews. The HTC One launched on all the major U.S. carriers in mid-April. On Monday, Verizon finally announced it would offer the device — sometime “later this summer.”

We saw the same late-to-the-game effect with another one of the year’s highly sought-after Android contenders: the Galaxy S4. The phone launched on all the major carriers and even U.S. Cellular in late April; it didn’t hit Big Red until a full month later. Now, in the grand scheme of life, is waiting an extra month (or four) that big of a deal? Of course not. But for an Android enthusiast who’s been salivating over a smartphone for months already, it’s anything but ideal.

And here’s the real rub: Delayed availability isn’t even the worst part about being an Android fan on Verizon these days. In many cases, desirable Android experiences never make it to VZW at all. Take the Nexus 4, Google’s own current Android flagship. Want to use it on Verizon? Not gonna happen. The same will almost certainly apply to the upcoming “Google Edition” Galaxy S4 and HTC One phones. Why? Flip back to a little chapter called the Verizon Galaxy Nexus if you don’t already know.

It’s actually gotten to the point where anytime I write about a hot Android new device, I count the seconds from when I hit “publish” until the moment I see the inevitable disheartened comment: “Great news…except for those of us stuck on Verizon.” Let’s face it: With the exception of the Droid Razr HD phones last fall, pretty much every exciting Android device in recent memory has launched outside of Verizon’s domain (initially, at least, if not permanently). In fact, if I were to list the devices I’d consider the best overall Android phones on the market right now, three out of four wouldn’t currently be available to Verizon subscribers.

And then there’s the other stuff, like the carrier’s continued blocking (or “not blocking but not allowing,” if you want to play corporate word games) of apps like Google Wallet and its shady stance on Android tethering applications. Add in the fact that unlike the more common GSM-based networks, Verizon’s CDMA technology makes it impossible for you to bring in your own unlocked, non-carrier-specific device, and you’ve got a perfect storm of undesirable circumstances for the hardcore Android fan.

In the big picture, does any of that matter to Verizon? Probably not. Keeping things in perspective, true Android enthusiasts — the kind of people who care about this stuff — make up a small percentage of customers. Clearly, the carrier’s tactics aren’t having a negative effect on its bottom line; most folks just walk into a store every few years and pick out a new phone on the spot. And that’s perfectly fine.

If you happen to fall into the category of “Android enthusiast,” though, you’re different. You look at mobile technology in a way that’s anything but average. This stuff does matter — to you.